BUG Fixed XML injection in DPSAdapter

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 0.4.1 - 2013-02-28
 
  * Security: Payment Information Leak in Test Harness Controller (see 0.3.2)
+ * Security: XML Injection in DPSAdapter API Requests (see 0.3.2)
 
 ## 0.3.2 - 2013-02-28
 
@@ -28,6 +29,12 @@ In this case, don't forget to flush the manifest cache by appending ?flush=1 to
 
 Reporter: Nicolaas Thiemen-Francken
 
+ * Security: XML Injection in DPSAdapter API Requests
+
+The `doPayment()`, `postConnect()` and `doDPSHostedPayment()` methods on `DPSAdapter` did not sanitize
+method arguments before constructing an XML request from it, and passing it on to the DPS API.
+Since these arguments are typically derived from user input, the method is considered unsafe.
+
 ## 0.4.0 - 2013-02-20
 
  * Security: Information Leak in DPSAdapter (see 0.3.1)

code/DPSPayment/DPSAdapter.php

@@ -119,7 +119,9 @@ public function postConnect(){
 		$inputs['PostPassword'] = self::$pxPost_Password;
 		$transaction = "<Txn>";
 		foreach($inputs as $name => $value) {
-			$transaction .= "<$name>$value</$name>";
+			$XML_name = Convert::raw2xml($name);
+			$XML_value = Convert::raw2xml($value);
+			$transaction .= "<$XML_name>$XML_value</$XML_name>";
 		}
 		$transaction .= "</Txn>";
 
@@ -143,7 +145,9 @@ function doPayment($inputs, $payment) {
 			if($name == "Amount") {
 				$value = number_format($value, 2, '.', '');
 			}
-			$transaction .= "<$name>$value</$name>";
+			$XML_name = Convert::raw2xml($name);
+			$XML_value = Convert::raw2xml($value);
+			$transaction .= "<$XML_name>$XML_value</$XML_name>";
 		}
 		$transaction .= "</Txn>";
 
@@ -212,7 +216,7 @@ function doDPSHostedPayment($inputs, $payment) {
 		$request = new PxPayRequest();
 		foreach($inputs as $element => $value) {
 			$funcName = 'set' . $element;
-			$request->$funcName($value);
+			$request->$funcName(Convert::raw2xml($value));
 		}
 
 		// submit payment request to get the URL for redirection